DeepSec 2013 Talk: Building The First Android IDS On Network Level

René Pfeiffer/ November 13, 2013/ Conference, Development, Security

Being popular is not always a good thing and here’s why: As mobile devices grow in popularity, so do the incentives for attackers. Mobile malware and threats are clearly on the rise, as attackers experiment with new business models by targeting mobile phones. The threat to mobile devices, however, is not limited to rogue versions of popular apps and adware. Threat actors are also pouncing on mobile users’ banking transactions. Android continues to be a primary target for malware attacks due to its market share and open source architecture.

Nowadays, several behaviour-based malware analysis and detection techniques for mobile threats have been proposed for mobile devices but only about 30 percent of all Android smart phones and tablets have security apps installed.

At DeepSec 2013 Jaime Sanchez (@segofensiva) will present AndroIDS, a signature-based intrusion detection system (IDS) and intrusion prevention system (IPS) that protects your mobile phone by examining headers and contents of all packets entering or leaving it. It will raise alerts or will drop packets when it sees suspicious headers or payloads.

This open source network-based intrusion detection/protection system is being presented as a solution that will provide a high return on investment based on visibility, control, and uptime.

It has the ability to perform real-time traffic analysis and packet logging on networks, featuring:

  • Protocol analysis, focusing on the examination of values within IP, TCP, UDP and ICMP headers
  • Content searching & matching, by analyzing every incoming packet against a database of rules; each rule represents the signature of a security exploit.

The framework architecture consists of:

  • Sensor: runs continuously without human supervision and is capable of analyzing traffic in real time (imposing minimal overhead), sending push alerts to the Android device in order to warn the user about the threat and reports to the Logging Server.
  • Server: runs inside a Linux Box, and receives all the messages the sensor is sending. It’s also responsible for sending updated signatures to remote devices, storing events in the database, detecting statistical anomalies and for real-time analysis.

The IDS rule language is powerful enough to represent current and future security exploits accurately and very precisely. With the help of custom build signatures, the framework can also be used to detect all kind of attacks designed for mobile devices like the USSD exploit, Webkit remote code execution exploits, DoS attacks or the meterpreter module for Android. IDS rule language converts Snort-like rules to an AndroIDS friendly format. It has also some interesting modules that let users cheat the operating system fingerprinting attempts by sending up to 16 TCP, UDP, and ICMP responses to nmap’s probes or changing the TCP header fields to avoid pof’s detection engine.

Android mobile users should start taking security seriously…and attending this talk at DeepSec 2013 is the first step!

Share this Post

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.

3 Comments

Comments are closed.